On 10/26/2017 07:18 PM, Chris Newman wrote:
Line 304
preference to services supporting STARTTLS (if offered). (See
also Section 4.5.)
I note that 6186 is kind of unclear on what should go in SNI. It
obviously
needs to be what you are checking against (which 6186 gets right)
but maybe
it's worth clarifying in this document somewhere.
Hmm. I might need to come back to that one. Lots of layers to
sift through. Feel free to suggest text.
I believe RFC 7817 handles this issue sufficiently.
Not sure whether EKR was referring specifically to the use of SNI with
SRV records or not, but that's what I had assumed he meant. So far I
haven't found any specific advice for (a) what name the MUA should
specify in SNI, or (b) what names the server should recognize and have
certificates for. It's pretty clear that the server needs to have a
certificate for the name on the right hand side of the SRV record, but
should it also have a certificate for the name on the left hand side?
(e.g. _pop3s._tcp.example.com?) That would potentially make SRV
discovery more secure.
But I think that's well beyond what the WG (and IESG) approved. So I
guess I'm inclined to leave the -10 text as it is now without
specifically addressing this issue.
Keith
_______________________________________________
Uta mailing list
Uta@ietf.org
https://www.ietf.org/mailman/listinfo/uta
